Friday, 6 January 2023

LastPass Hit With Class Action Lawsuit Following Data Breach

(Credit: René Ramos; LastPass)
It was inevitable that someone would file a lawsuit against LastPass in the wake of its recent security snafus, and sure enough, an unidentified Pennsylvania resident has filed a class action against the company. The plaintiff claims that they had $53,000 in Bitcoin stolen, a crime they blame on the theft of LastPass user data in November 2022. The case may become an even bigger headache for LastPass as users are increasingly sharing stories of account breaches they believe are a result of the breach.

The problems began in August 2022 when unknown attackers made off with technical data from LastPass’ servers. A few months later, the cybercriminals were back, using the stolen data to get their hands on user password vaults. LastPass sought to assuage fears by reminding everyone that the vaults are encrypted and that LastPass does not store the master passwords that would unlock them. The company’s security practices have since been roundly criticized, however, by experts in the field as well as by its competitors.

The unidentified plaintiff claims their cryptocurrency was secured with a unique password generated by LastPass and used the service to store “highly sensitive private keys” for accessing the funds. And yet, the user’s crypto wallet was cleaned out shortly after the breach. If, as the Pennsylvania man claims, the keys were only stored in LastPass, that shows the vault files are not as secure as the company claims. Other stories are popping up on the internet that lend credence to the claims in the lawsuit. Users who move their password data to Google have seen their unique LastPass passwords reported as compromised, and others say they’ve seen more suspicious phishing attempts that may be related to the breach.


The lawsuit alleges that LastPass mischaracterized its security practices as “stronger-than-typical” when, in fact, it was lax. For example, it only started requiring new master passwords to be 12 characters long in 2018, and it runs only 100,100 iterations of the PBKDF2 algorithm to hash passwords when the industry standard is 310,000 iterations. The plaintiff also cites the company’s “unreasonably delayed” notification of users as an example of negligence.
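Added example, not code from the article or from LastPass: PBKDF2-HMAC-SHA256 key derivation at the two iteration counts cited above, together with the defender-side pattern of raising a stored record's iteration count transparently at the next successful login. The record layout (random salt, iteration count, verifier hash) is constructed for illustration and is not LastPass's design.

```python
import hashlib
import hmac
import os

# Iteration counts as cited in the article: the figure attributed to LastPass
# and the figure the article describes as the industry standard.
ITERATIONS_CITED_LASTPASS = 100_100
ITERATIONS_CITED_STANDARD = 310_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output. Every extra iteration is one
    more HMAC round an attacker must also pay per guess in an offline attack."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def new_record(master_password: str, iterations: int) -> dict:
    """Constructed server-side record: random salt, iteration count, and a
    verifier (hash of the derived key) so the key itself is never stored."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(key).digest()}


def verify(master_password: str, record: dict) -> bool:
    """Re-derive under the record's own parameters and compare in constant time."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def rehash_on_login(master_password: str, record: dict, target: int) -> tuple:
    """Upgrade the work factor without a forced reset: after a successful
    login, if the stored iteration count is below the target, re-derive under
    the target. Returns (login_ok, record); a failed login leaves it unchanged."""
    if not verify(master_password, record):
        return False, record
    if record["iterations"] >= target:
        return True, record
    return True, new_record(master_password, target)


def work_factor_ratio(low: int, high: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is how many times
    more work each offline guess costs at `high` than at `low`."""
    return high / low
```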

You don’t have to do anything right now if you think you’re a member of the class. These cases can take years to resolve, but the upshot is you don’t have to pay any legal fees. You may end up with a small payout at the conclusion, but be wary of emails promising settlement money or you could end up hacked all over again.
